Laid Off Worker Pleads Guilty in Medicaid IncidentFormer Employee at Contractor Damaged Oregon Medicaid System After Losing Job
A former Hewlett Packard Enterprise worker has pleaded guilty in federal court to intentionally damaging an Oregon Medicaid system and causing it to fail a few days after he was laid off by the vendor.
Security experts say the incident is another reminder of the threats posed by insiders, including those employed by vendors - even after they lose their jobs.
"Insiders perform a significantly larger amount of crime and malicious activities than is known," says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
"This does not mean that all insiders with access to sensitive and valuable data and systems will do bad things. However, there are enough opportunists who are in such positions and who know the systems and applications well enough to know how to commit crimes and malicious actions without getting caught."
In a statement Monday, the U.S. Department of Justice says Hossein Heydari, 61, of Gaithersburg, Maryland, pleaded guilty in an Oregon federal court to one count of fraud and related activity in a case involving cyber intrusion.
Prosecutors say Heydari was formerly employed by Hewlett Packard Enterprise as a system administrator and technical support specialist located in Maryland. As part of a Hewlett Packard contract with the Oregon Health Authority, Heydari had remote administrative access to Oregon's Medicaid Management Information System servers.
Court documents indicate that on Oct. 28, 2016, Heydari was laid off by Hewlett Packard. Three days later, on Oct. 31, he intentionally altered part of the MMIS system, the DOJ says.
"The defendant knowingly transmitted a command to alter the zone configuration on the SAN switches for the MMIS servers, intentionally causing the MMIS system to fail, resulting in an eight-hour loss of functionality for Oregon's MMIS system and its users," court documents note.
The incident caused "the impairment of the medical examination, diagnosis, treatment or care of individuals, and a threat to public health," prosecutors say.
The Oregon MMIS is a marketplace for medical care providers, pharmacies and patients to exchange eligibility information for care, prescriptions and other benefits provided by Medicaid.
Heydari faces a maximum sentence of 10 years in prison, a $250,000 fine and three years of supervised release. He is scheduled to be sentenced on Aug. 12.
As part of the plea agreement, Heydari has agreed to pay about $45,000 in restitution to the Oregon Health Authority and $32,000 to Hewlett Packard, the Justice Department says.
At the time Heydari was indicted in August 2017, Hewlett Packard told Information Security Media Group that the part of the business that Heydari worked for was spun off and became DXC Technology (see:Vendor's Ex-Employee Allegedly Shut Down Medicaid System).
In a DXC Technology press release issued in April 2017, the company notes that it officially launched as a business on April 1, 2017, as the result of a merger between Hewlett Packard Enteprise Services Division and Computer Sciences Corp. So, it appears that the alleged incident involving Heydari occurred before the spin-off.
The Oregon Health Authority did not immediately respond to ISMG's request for comment. Hewlett Packard Enterprise, DXC Technology and the public defender representing Heydari declined to comment.
Court documents indicate that prior to being laid off by Hewlett Packard Enterprise, Heydari worked on information management systems for Oregon and three other states. As part of his job duties, he had access to the servers that hold the MMIS data, the indictment document notes.
The Justice Department declined to comment on ISMG's inquiry about whether any of the other three states' Medicaid Management Information Systems suffered any alleged tampering related to the case against Heydari in Oregon.
Prosecutors also declined to comment on whether Heydari retained his authorized access credentials to the Medicaid systems even after his job at Hewlett Packard ended, or if he hacked into the Oregon system after his access privileges were terminated.
Security experts say organizations should act swiftly to prevent malicious activity by ex-employees.
Court documents note that Hewlett Packard gave Heydari two week's notice of his layoff.
"Removing access to all systems, applications and other resources should occur at the same time the termination decision is delivered to the employee," Herold says.
"Being laid off is an action that has resulted in a large percentage of employees doing bad things with continued access as a form of retaliation," she notes. "Heydari's access to everything should have been removed simultaneously with the termination news."
"The insider threat vector is rarely adequately addressed as part of the overarching cybersecurity program."
—Rich Curtiss, Coalfire
Organizations should have a documented employee termination policy and procedures, says Jon Moore, senior vice president and chief risk officer at security consultancy Clearwater Compliance.
"A step in the procedures should be the notification of IT. IT should be told who will be terminated and when to disable their access," he says.
The Oregon Medicaid incident "is as much about an organization managing its third-party risk as it is about the risk from a disgruntled employee," Moore says.
"To manage its risk, Oregon Health Authority should have had procedures in place with its contractor or received some level of assurance that its contractor had procedures in place to ensure that employees or former employees that no longer required access to its systems had their user accounts and passwords disabled," Moore says. The authority also should have changed the administrative password for the affected system at the time of the employee's termination, he adds.
Organizations should specify in their vendor contracts that the company provide notification when one of its employees leaves a job, Herold notes. "If the employee provided support for a business client, then all business clients should be notified as soon as possible that the person no longer works for you, and that the client should not allow the ex-employee continued access."
Other Steps to Take
In addition to quickly terminating employee's access to computers, Herold says organization should take additional steps to prevent potential retaliatory actions.
"All admin accounts, or other types of shared accounts, to which the terminated person had access, should have the passwords changed immediately. Access to all social media accounts should be removed," she says.
Rich Curtiss, principal of healthcare risk assurance services at the consultancy Coalfire, says many organizations do not take insider threats seriously and do not change terminated employees' privileged authentication credentials, such as user IDs and passwords on internal systems.
"A privileged user is said to have the 'keys to the kingdom' - this isn't far from the truth," he says. "When a user with elevated privileges to an IT system or infrastructure is terminated, any and all accounts that were accessible to them must be changed. This is and has been a best practice for a long time, but, unfortunately, it is not always implemented since it impacts many people and organizational departments."
Entities that have implemented multifactor authentication also need to remember that "if the user's access to the accounts hasn't been disabled, neither will the MFA be," he notes.
Technologies are available that rotate privileged authentication credentials to ensure access requirements are changed automatically to protect against this type of attack, Curtiss adds.
Moore suggests that organizations should consider taking additional steps to prevent malicious activities by insiders, including former workers, such as:
- Conduct an enterprisewide risk analysis paying particular attention to risks associated with a malicious actor;
- Conduct an audit to detect inappropriately granted access or access that still exists from previous job roles/functions and should be removed;
- Make sure that physical security controls are sufficient to prevent access to facilities.
"I suspect that many cases of employee cybercrime are not reported publicly, as they reflect negatively on corporate culture and brand as well as internal security controls, unless the incident triggers required reporting rules," Curtiss says.
"In the healthcare sector, I suspect employee cybercrime goes unreported - or under-reported - unless the incident triggers the HIPAA breach notification reporting protocol or some other federal, state, county or city reporting requirement."
Some organizations likely choose not to report insider incidents out of fear the reports will draw scrutiny by regulators, he says.
"The insider threat vector is rarely adequately addressed as part of the overarching cybersecurity program," Curtiss adds. "A robust and well-managed cybersecurity program should have a specific set of protocols, policies and procedures with appropriate checks and balances to minimize the impact of the insider threat."